refactor: move business logic out of presentation — ReadAssetFile, checksum, auth checks, MetadataValue conversions

crates/application/tests/catalog/queries/get_asset.rs

@@ -16,12 +16,13 @@ async fn returns_asset_with_resolved_metadata() {
         relative_path: "photos/img.jpg".into(),
         checksum: Checksum::new("a".repeat(64)).unwrap(),
     };
+    let owner = SystemId::new();
     let asset = Asset::new(
         source,
         AssetType::Image,
         "image/jpeg",
         1024,
-        SystemId::new(),
+        owner,
     );
     asset_repo.save(&asset).await.unwrap();
 
@@ -42,6 +43,7 @@ async fn returns_asset_with_resolved_metadata() {
     let (returned, resolved) = handler
         .execute(GetAssetQuery {
             asset_id: asset.asset_id,
+            user_id: owner,
         })
         .await
         .unwrap();
@@ -62,8 +64,35 @@ async fn rejects_nonexistent() {
     let result = handler
         .execute(GetAssetQuery {
             asset_id: SystemId::new(),
+            user_id: SystemId::new(),
         })
         .await;
 
     assert!(matches!(result, Err(DomainError::NotFound(_))));
 }
+
+#[tokio::test]
+async fn rejects_forbidden_access() {
+    let asset_repo = Arc::new(InMemoryAssetRepository::new());
+    let meta_repo = Arc::new(InMemoryAssetMetadataRepository::new());
+
+    let source = SourceReference {
+        volume_id: SystemId::new(),
+        relative_path: "photos/img.jpg".into(),
+        checksum: Checksum::new("a".repeat(64)).unwrap(),
+    };
+    let owner = SystemId::new();
+    let asset = Asset::new(source, AssetType::Image, "image/jpeg", 1024, owner);
+    asset_repo.save(&asset).await.unwrap();
+
+    let handler = GetAssetHandler::new(asset_repo, meta_repo);
+    let other_user = SystemId::new();
+    let result = handler
+        .execute(GetAssetQuery {
+            asset_id: asset.asset_id,
+            user_id: other_user,
+        })
+        .await;
+
+    assert!(matches!(result, Err(DomainError::Forbidden(_))));
+}